Security Vulnerability Disclosure — NY Health Insurance Exchange
Last Saturday (12/5/15), I got an email from the New York State of Health website informing me that I had a new message waiting for me on their website. After fumbling my way through their login process and eventually to my message inbox, I clicked to view my new message. I expected the message to appear on screen, but instead a pdf was downloaded. A pdf titled “Template012.pdf.” A strange way to implement an messaging system; I figure the pdfs are intended to be printed out an mailed and the message inbox just links to the electronic copy of the file on some file server. I recently implemented file uploading and downloading on my website, so I got curious about their implementation. Within about 30 seconds I discovered that I, or any logged in user, could download any message regardless of the intended recipient. That was quite worrisome considering that the messages all contain names, addresses, and account numbers, and depending on the type of message it could contain household member names and account numbers, income information, and health insurance selections.
Technical Notes
(I waited until the vulnerability was fixed before posting this, so these instructions no longer work. You can still follow along, you’ll just get a “forbidden” error message instead of downloading an unauthorized message)
To replicate:
Login to NY State of Health: https://nystateofhealth.ny.gov/individual
Go to dashboard: https://nystateofhealth.ny.gov/individual/individualdashboard/hx_overviewInfo?iId=
Click “Inbox”
In the “Messages” table the right most column has a envelope icon. Clicking on it will download a pdf of the message. Instead of clicking, right click and copy the url.
Paste the url to the address bar. It will look something like this:
Where dcnToken=NXXXXXXXXXXXX is a capital N followed by a 12 digit number.
Modify the number. They appear to be sequential, so a number near the one that you started with should work.
Hit enter, a pdf should be downloaded. The pdf will be a message that isn’t intended for you.
Analylsis:
The dcnToken is a file specifier. Anybody logged in user with the dcnToken corresponding to a file can download that file. The dcnTokens appear to be sequential, so given a good dcnToken it is very easy to find more valid dcnTokens.
Reporting
I called the site’s customer service number to report the vulnerability, but it took about 4 operators before I got one that understood what I was talking about. Even then I wasn’t sure if he had the means to report the problem properly, so I emailed CSC (the company that made the site) and reported it directly to them. This is the email I sent them:
CSC,
I’ve discovered a security vulnerability on the NY State of Health website which allows any logged in user to view messages that are intended for other users. The messages contain sensitive private information including account numbers, names, addresses, income information, etc. I’ve reported the problem to NY State of Health customer service but I’m not sure if that’s the proper channel. Please let me know who I can report the technical details of this vulnerability to. In accordance with responsible disclosure I have not disclosed this vulnerability publicly.
Their senior software engineer called me a few hours later and I explained the situation to him. A few hours after that the file server was shutdown, and a couple of days after that it was back up with the bug fixed.
Severity
If a malicious actor had learned of this vulnerability before the fix it would have been devastating. It seems that messages are sent to users every time they update their health insurance selection or change their eligibility, and as far as I can tell the messages contain all of the sensitive information pertaining to the updates. That means that by iterating through and downloading the messages, an attacker would have recovered the majority of their user data. The worst part is that we have no idea if this happened, and based on the lack of basic security implementation I seriously doubt that CSC has the logs to determine if such an attack took place.
